Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: Alberto Beretta <punkbere () tin it>
Date: Fri, 8 Mar 2002 17:05:00 CET

The tool LaBrea can detect scans against virtual IP addresses.
I'm working on a project in which LaBrea and a honeypot work together. LaBrea replies to packets generated by network 
scanning. The idea is to modify LaBrea to allow a real connection to virtual addresses: this traffic is forwarded to a 
honeypot. So you can detect the scan and gain information about the hacker's methodologies.

From: Lance Spitzner <lance () honeynet org>
Date: 08/03/2002 05:34
To: "Snort-Users \(E-mail\)" <snort-users () lists sourceforge net>,
  <honeypots () securityfocus com>
Subject: VERY simple 'virtual' honeypot

Most honeypots work on the same concept: a system that has no
production activity.  You deploy a box that has no production
value; any packets going to that box indicate a probe, scan, or
attack.  This helps reduce both false positives and false
negatives.  Examples of such honeypots include BackOfficer Friendly,
DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles as a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.

Thoughts?

-- 
Lance Spitzner
http://project.honeynet.org
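The rule set Lance describes above, worked through as an added example (this is not code from the thread, from the Honeynet Project, or from Snort itself). The script generates one TCP SYN rule and one UDP rule per unused address, and then applies the same logic offline to a handful of constructed packet records so the alert behaviour can be checked without a sensor. The monitored block (192.0.2.0/28, an RFC 5737 documentation range), the set of live hosts, the sid range, and the sample packets are all assumptions made for the example. Two practical details the message does not spell out are built in: the network and broadcast addresses are left out of the "dark" list so legitimate broadcasts do not alert, and the TCP rule uses `flags:S` so that SYN/ACK and RST backscatter from spoofed-source attacks elsewhere does not count as a probe.

```python
#!/usr/bin/env python3
"""Virtual-honeypot rule generator and offline checker (added example, not from the thread).

Idea from the post above: alert on any TCP SYN or UDP packet sent to an IP
address on which no system exists.  Everything below is hypothetical sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed example: the monitored block and the addresses that really are in use.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/28")    # assumed; RFC 5737 test range
LIVE_HOSTS = {"192.0.2.1", "192.0.2.5", "192.0.2.10"}     # assumed in-use addresses


def dark_addresses(net: ipaddress.IPv4Network, live: Set[str]) -> List[str]:
    """Every host address in `net` that is not in `live`.

    net.hosts() skips the network and broadcast addresses, so a legitimate
    broadcast (e.g. UDP to 192.0.2.15) never lands in the dark list.
    """
    return [str(a) for a in net.hosts() if str(a) not in live]


def snort_rules(dark: Iterable[str], base_sid: int = 1000000) -> List[str]:
    """One TCP rule and one UDP rule per unused address, with unique local sids.

    flags:S matches only when SYN is the sole flag set, so SYN/ACK or RST
    backscatter does not fire.  (Later Snort versions accept flags:S,12 to
    also ignore the two ECN bits on a SYN.)
    """
    rules = []
    sid = base_sid
    for ip in dark:
        rules.append(
            f'alert tcp any any -> {ip} any '
            f'(msg:"VHONEY TCP SYN to unused address {ip}"; flags:S; sid:{sid}; rev:1;)'
        )
        sid += 1
        rules.append(
            f'alert udp any any -> {ip} any '
            f'(msg:"VHONEY UDP to unused address {ip}"; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


@dataclass
class Packet:
    """Minimal packet record; flags uses Snort letters, e.g. "S", "SA", "R"."""
    src: str
    dst: str
    proto: str
    flags: str = ""


def matches(pkt: Packet, dark: Set[str]) -> bool:
    """Mirror of the rule logic: TCP with only SYN set, or any UDP, to a dark address."""
    if pkt.dst not in dark:
        return False
    if pkt.proto == "tcp":
        return pkt.flags == "S"
    return pkt.proto == "udp"


def alerts(packets: Iterable[Packet], dark: Iterable[str]) -> List[str]:
    """Return a short alert line for every packet that would trip a rule."""
    dark_set = set(dark)
    out = []
    for p in packets:
        if matches(p, dark_set):
            suffix = f"/{p.flags}" if p.flags else ""
            out.append(f"{p.src} -> {p.dst} {p.proto}{suffix}")
    return out


DARK = dark_addresses(MONITORED_NET, LIVE_HOSTS)

# Constructed sample traffic; sources are RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.3", "tcp", "S"),    # scanner SYN to unused host -> alert
    Packet("198.51.100.7", "192.0.2.1", "tcp", "S"),    # SYN to a live host -> no alert
    Packet("203.0.113.9", "192.0.2.4", "tcp", "SA"),    # SYN/ACK backscatter -> no alert
    Packet("203.0.113.9", "192.0.2.4", "tcp", "R"),     # RST backscatter -> no alert
    Packet("198.51.100.7", "192.0.2.9", "udp"),         # UDP probe to unused host -> alert
    Packet("192.0.2.1", "192.0.2.15", "udp"),           # directed broadcast -> no alert
]

if __name__ == "__main__":
    print(f"# {len(DARK)} unused addresses in {MONITORED_NET}")
    for rule in snort_rules(DARK):
        print(rule)
    print("# alerts from sample traffic:")
    for line in alerts(SAMPLE_PACKETS, DARK):
        print(line)
```

Run it to print a rules file you could include from snort.conf, followed by the two sample packets that would alert. Keeping the live-host list accurate is the whole game: a DHCP lease or a new server that is missing from it turns ordinary traffic into false positives, so regenerate the rules from an authoritative inventory rather than editing them by hand.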





